Skip to content

DISA STIG for SUSE Linux Enterprise 15

Rules and Groups employed by this XCCDF Profile

  • Secure Session Configuration Files for Login Accounts

    When a user logs into a Unix account, the system configures the user's session by reading a number of files. Many of these files are located in the...
    Group
  • Ensure Home Directories are Created for New Users

    All local interactive user accounts, upon creation, should be assigned a home directory. <br><br> Configure the operating system to assign home dir...
    Rule Medium Severity
  • Limit the Number of Concurrent Login Sessions Allowed Per User

    Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions...
    Rule Low Severity
  • Set Interactive Session Timeout

    Setting the <code>TMOUT</code> option in <code>/etc/profile</code> ensures that all user sessions will terminate based on inactivity. The value of ...
    Rule Medium Severity
  • User Initialization Files Must Not Run World-Writable Programs

    Set the mode on files being executed by the user initialization files with the following command:
    $ sudo chmod o-w FILE
    Rule Medium Severity
  • Ensure that Users Path Contains Only Local Directories

    Ensure that all interactive user initialization files executable search path statements do not contain statements that will reference a working dir...
    Rule Medium Severity
  • All Interactive Users Must Have A Home Directory Defined

    Assign home directories to all interactive users that currently do not have a home directory assigned. This rule checks if the home directory is p...
    Rule Medium Severity
  • All Interactive Users Home Directories Must Exist

    Create home directories to all local interactive users that currently do not have a home directory assigned. Use the following commands to create t...
    Rule Medium Severity
  • All Interactive User Home Directories Must Be Group-Owned By The Primary Group

    Change the group owner of interactive users home directory to the group found in <code>/etc/passwd</code>. To change the group owner of interactive...
    Rule Medium Severity
  • Ensure All User Initialization Files Have Mode 0740 Or Less Permissive

    Set the mode of the user initialization files to <code>0740</code> with the following command: <pre>$ sudo chmod 0740 /home/<i>USER</i>/.<i>INIT_FI...
    Rule Medium Severity
  • All Interactive User Home Directories Must Have mode 0750 Or Less Permissive

    Change the mode of interactive users home directories to <code>0750</code>. To change the mode of interactive users home directory, use the followi...
    Rule Medium Severity
  • Ensure that Users Have Sensible Umask Values

    The umask setting controls the default permissions for the creation of new files. With a default <code>umask</code> setting of 077, files and direc...
    Group
  • Ensure the Default Umask is Set Correctly in login.defs

    To ensure the default umask controlled by <code>/etc/login.defs</code> is set properly, add or correct the <code>UMASK</code> setting in <code>/etc...
    Rule Medium Severity
  • System Accounting with auditd

    The audit service provides substantial capabilities for recording system activities. By default, the service audits about SELinux AVC denials and c...
    Group
  • Ensure the default plugins for the audit dispatcher are Installed

    The audit-audispd-plugins package should be installed.
    Rule Medium Severity
  • Ensure the audit Subsystem is Installed

    The audit package should be installed.
    Rule Medium Severity
  • Enable auditd Service

    The <code>auditd</code> service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to...
    Rule Medium Severity
  • Configure auditd Rules for Comprehensive Auditing

    The <code>auditd</code> program can perform comprehensive monitoring of system activity. This section describes recommended configuration settings ...
    Group
  • Remove Default Configuration to Disable Syscall Auditing

    By default, SUSE Linux Enterprise 15 ships an audit rule to disable syscall auditing for performance reasons. To make sure that syscall auditing w...
    Rule Medium Severity
  • Ensure auditd Collects Information on Exporting to Media (successful)

    At a minimum, the audit system should collect media exportation events for all users and root. If the <code>auditd</code> daemon is configured to u...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules